Audit Report

OIG-12-078
INFORMATION TECHNOLOGY: Sufficient Protections Were In Place for Departmental Offices' Network and Systems
September 14, 2012

This report has been reissued to correct the report number from OIG-12-073 to OIG-12-078.

Office of Inspector General
Department of the Treasury

Contents

Audit Report
    Results in Brief ................................................ 1
    Background ...................................................... 2
    Findings and Recommendations .................................... 3
        Some DO LAN Devices Were Configured with Insecure Default Usernames and Passwords ... 3
        Recommendation .............................................. 4
        Some DO LAN Servers Were Missing the Latest Service Packs or Running Obsolete Operating System ... 5
        Recommendations ............................................. 6
        Weaknesses Were Found in Physical Security Practices at DO Buildings ... 6

Appendices
    Appendix 1: Objectives, Scope, and Methodology .................. 9
    Appendix 2: Management Response ................................. 10
    Appendix 3: Major Contributors to This Report ................... 13
    Appendix 4: Report Distribution ................................. 14

Abbreviations

    DO     Departmental Offices
    CIO    Chief Information Officer
    LAN    Local Area Network
    SP     Service Pack
    UPS    Uninterruptible power supply
    IT     Information Technology

Sufficient Protections Were In Place for Departmental Offices' Network and Systems (OIG-12-078)    Page i

OIG
The Department of the Treasury
Office of Inspector General

Audit Report

September 14, 2012

Robyn East
Deputy Assistant Secretary for Information Systems and Chief Information Officer

This report represents the result of our audit of network and systems security at the Departmental Offices (DO).
Our overall objective was to determine whether sufficient protections existed to prevent intrusions into DO's network and systems. Specifically, we performed vulnerability assessments and penetration tests of DO's local area network (LAN), as necessarily limited by DO's operational needs and the sensitivity of DO LAN's critical mission.

To accomplish our objective, we performed a series of internal vulnerability assessments and attempted penetration tests on selected DO LAN desktops, servers, equipment, and infrastructure devices. We also tested the physical security of Treasury facilities, performed social engineering testing by email phishing,[1] and conducted remote access security testing. In accordance with the agreed-upon Rules of Engagement with the Department, we excluded a number of systems on the DO LAN and test procedures that could have adversely affected operations and resulted in denial of service attacks.

[1] Phishing is an e-mail fraud method in which the perpetrator sends out legitimate-looking e-mail in an attempt to gather information from recipients.

We performed our fieldwork in Washington, DC, from December 2011 through April 2012. The audit was performed in accordance with generally accepted government auditing standards. Our objectives, scope, and methodology are described in more detail in appendix 1.

Results in Brief

We determined that DO had sufficient protections in place for its LAN. We did not find any critical vulnerabilities on the desktops and servers tested. In addition, DO's email systems prevented our email phishing attacks from being executed successfully. However, we did identify weaknesses that should be remediated to strengthen the security protection for the DO LAN. Specifically, we found that some DO LAN devices were configured with insecure default usernames and passwords. We also noted that a number of DO LAN servers were missing the latest service packs or running obsolete operating systems. Lastly, we identified weaknesses in physical security practices at Treasury buildings, which were quickly addressed after being identified.

We are making three recommendations to the Deputy Assistant Secretary for Information Systems and Chief Information Officer (CIO) to address these findings. With regard to the weaknesses in physical security practices, we are not making any specific recommendations at this time because, after we brought the matter to management's attention, it was promptly addressed and adequately resolved during the course of our audit.

In a written response to a draft copy of this report, the Treasury CIO agreed with our findings and recommendations and provided corrective action plans (see appendix 2).
Treasury's planned and reported corrective actions are responsive to the intent of our recommendations.

Background

The Federal Information Security Management Act, Title III of the E-Government Act of 2002, requires each federal agency's information security program to provide information security for the information and information systems that support the operations and assets of the agency. The program should include periodic assessments of the risk and magnitude of the harm that could result from the unauthorized access, use, disclosure, disruption, modification or destruction of information and information systems that support the operations and assets of the agency. Specifically, agencies are required to perform periodic testing and evaluation of management, operational, and technical controls of information systems depending on risks, and to institute a process for planning, implementing, evaluating and documenting remedial action to address any deficiencies or exploits.

The Department of the Treasury is organized into two major components: DO and the operating bureaus. DO is primarily responsible for the formulation of policy and management of the Department of the Treasury as a whole, while the operating bureaus and offices carry out the specific operations assigned to Treasury.

Findings and Recommendations

Finding 1   Some DO LAN Devices Were Configured with Insecure Default Usernames and Passwords

As part of our network and system security assessment of the DO LAN, we performed network scans to determine the types, names, Internet Protocol addresses,[2] and potential vulnerabilities of systems to test. Using the information gathered from our scans, we found that two printers, one uninterruptible power supply (UPS), and a tape backup device were configured with manufacturer preset default usernames and passwords.

Using the manufacturer preset default usernames and passwords, we were able to successfully gain administrative privileges to these devices. On both printers, we gained administrative privileges by connecting to their web interface without providing any username or password, also known as an anonymous login. We also gained administrative privileges to a UPS device and a tape backup device by connecting to their web interface using the default usernames and passwords.

DO LAN System Security Plan, v1.4, dated June 29, 2011, states that DO has implemented Authenticator Management (Identification and Authentication Control).
Furthermore, National Institute of Standards and Technology Special Publication 800-53, Revision 3, "Recommended Security Controls for Federal Information Systems," requires organizations to manage information system authenticators for users and devices by changing the default content of authenticators upon installation.

[2] An Internet Protocol address is a unique number that every device connected to the network or Internet is assigned.

By leaving the default usernames and passwords unchanged, anyone with internal network access could gain unauthorized access to the printers and potentially use them as a platform to launch attacks against other systems connected to the DO LAN, install malicious firmware[3] on the printers, access any document sent to the printers, and flood the printers with print jobs. Similarly, an attacker could log in to cause damage to, and/or loss of power from, the UPS and any systems attached to it, causing potential loss of data. If a system attached to the UPS is in the middle of writing data when the attacker cuts the power, the system may not be able to shut down gracefully, and the data being written may be lost and/or corrupted. In addition, the attacker could alter the power settings on the UPS, causing the device to suffer damage including, but not limited to, sparks, smoke, and fire. Lastly, using these default logins, unauthorized users could compromise the tape backup devices, including changing the tape backup schedule, moving loaded tapes to unexpected locations, causing data to be overwritten, or installing malicious firmware.

[3] Firmware is a software program or set of instructions programmed on a hardware device. It provides the necessary instructions for how the device communicates with the other computer hardware.

Based on our Rules of Engagement, we did not attempt to perform the above actions, to avoid adverse impact such as interruption of services or shutdown of these devices.

Recommendation

We recommend that the CIO ensure that default user names and passwords on all devices are changed and that anonymous login is disabled.

Management Response

Treasury concurred with this recommendation. Treasury stated that the identified devices have been addressed to ensure that any default user name or password has been changed. Treasury will update its procedures for installing peripheral equipment to ensure that no default user names or passwords are left on peripheral devices during the installation process.
In addition, Treasury will conduct a complete review of existing peripheral equipment to ensure that all web-enabled devices have had manufacturer presets disabled. A corrective action plan will be developed and implemented by September 28, 2012.

OIG Comment

Management's reported and planned corrective actions are responsive to our recommendation.

Finding 2   Some DO LAN Servers Were Missing the Latest Service Packs or Running Obsolete Operating System

From our scans, we found that some servers on the DO LAN were missing the most up-to-date service packs (SP) or were running obsolete operating system software. Specifically, we found:

    •   15 servers were running Windows 2008 R2, SP 0. The current version is SP 1, released on February 22, 2011.

    •   4 servers were running Windows 2008, SP 1. The current version is SP 2, released on April 29, 2009.

    •   2 servers were running Windows 2000. This operating system is no longer supported by Microsoft as of July 13, 2010.

National Institute of Standards and Technology Special Publication 800-53, Revision 3, requires that the organization promptly install security-relevant software updates (e.g., patches, service packs, and hot fixes).

Servers without the latest service packs may not have the most recent patches necessary to fix known software vulnerabilities, while servers running unsupported operating systems do not receive any official patches at all.
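The comparison behind the three bullet items above, as an added example that is not part of the OIG report: a Python script that reads a constructed server inventory (invented hostnames and scan format), applies the required-service-pack levels and the Windows 2000 end-of-support date the report cites as of an assessment date, and counts servers per category the way Finding 2 does.

```python
"""Service-pack baseline check over a constructed server inventory (added
example, not from the OIG report; hostnames and scan format are invented)."""
import re
from collections import Counter
from dataclasses import dataclass
from datetime import date

# Baseline taken from Finding 2: required SP with its release date, and the
# end-of-support date the report cites for Windows 2000.
BASELINE = {
    "Windows 2008 R2": {"required_sp": 1, "sp_released": date(2011, 2, 22), "support_ends": None},
    "Windows 2008": {"required_sp": 2, "sp_released": date(2009, 4, 29), "support_ends": None},
    "Windows 2000": {"required_sp": None, "sp_released": None, "support_ends": date(2010, 7, 13)},
}
ASSESSMENT_DATE = date(2012, 4, 30)  # end of the fieldwork period the report gives

# Constructed scan output: hostname, operating system, installed service pack.
SCAN_OUTPUT = """\
srv-web-01   Windows 2008 R2  SP 0
srv-web-02   Windows 2008 R2  SP 0
srv-db-01    Windows 2008 R2  SP 1
srv-file-01  Windows 2008     SP 1
srv-file-02  Windows 2008     SP 2
srv-legacy-1 Windows 2000     SP 4
srv-misc-01  Windows 2003     SP 2
"""
LINE_RE = re.compile(r"^(\S+)\s+(Windows \d{4}(?: R2)?)\s+SP\s*(\d+)\s*$")


@dataclass(frozen=True)
class Finding:
    host: str
    os_name: str
    sp: int
    category: str  # unsupported_os | missing_sp | compliant | unknown_os
    detail: str


def classify(host, os_name, sp, as_of):
    """Apply the baseline to one server as of the assessment date."""
    base = BASELINE.get(os_name)
    if base is None:
        return Finding(host, os_name, sp, "unknown_os", "not in baseline; review manually")
    end = base["support_ends"]
    if end is not None and as_of >= end:
        # An unsupported OS outranks a missing SP: no further patches will ship.
        return Finding(host, os_name, sp, "unsupported_os", f"vendor support ended {end}")
    req = base["required_sp"]
    if req is not None and sp < req:
        return Finding(host, os_name, sp, "missing_sp",
                       f"SP {sp} installed; SP {req} available since {base['sp_released']}")
    return Finding(host, os_name, sp, "compliant", f"SP {sp} is current")


def audit(scan_text, as_of):
    """Parse scan lines and classify each server; lines that do not parse are skipped."""
    findings = []
    for line in scan_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            findings.append(classify(m.group(1), m.group(2), int(m.group(3)), as_of))
    return findings


def summarize(findings):
    """Count servers per category, the form in which the report states its results."""
    return Counter(f.category for f in findings)


if __name__ == "__main__":
    for f in audit(SCAN_OUTPUT, ASSESSMENT_DATE):
        print(f.host, f.os_name, f.category, f.detail, sep="  ")
```

Because an operating system past its end-of-support date is reported as unsupported regardless of its installed service pack, the script ranks the Windows 2000 case ahead of a merely outdated service pack, matching the order of severity in the report's two recommendations.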
As a result, the vulnerabilities from these missing patches may leave DO servers susceptible to internal or external attacks, which could lead to unauthorized access or compromise of Treasury's sensitive data.

Recommendations

We recommend that the CIO do the following:

1. Test and install the latest service packs for all servers, as appropriate.

Management Response

Treasury concurred with this recommendation. Treasury stated that, as of August 31, 2012, the identified systems have had the latest service packs installed.

OIG Comment

Management's reported corrective action is responsive to our recommendation.

2. Upgrade servers running obsolete operating systems to a supported version.

Management Response

Treasury concurred with this recommendation. Treasury will retire or upgrade all servers running on old operating systems. It is anticipated that this corrective action will be implemented by March 30, 2013.

OIG Comment

Management's planned corrective action is responsive to our recommendation.

Finding 3   Weaknesses Were Found in Physical Security Practices at DO Buildings

We found weaknesses in the physical security practices at a DO facility that allowed us unauthorized access into Treasury buildings.
Specifically, we were able to bypass security procedures on two occasions. An incident occurred at a DO building where we gained entry without being challenged by the officer on post. Another incident occurred where we found no officer at the entrance. Although we possessed valid credentials, we were able to gain entry into the building without using them. The Office of Security Programs was notified about this issue, and it was resolved promptly. Subsequently, on several occasions, we retested DO LAN physical security controls and found that the deficiencies had been addressed. Therefore, we are not making a recommendation at this time.

The DO LAN System Security Plan specifies the controls that should be in place for physical security. Such controls may include the use of guards, identification badges, or entry devices such as key cards or biometrics. According to this policy, employees entering Treasury facilities are required to display their Treasury badge.

DO P-910, Department of the Treasury Departmental Offices Information Technology Security Policy Handbook v2.0, dated January 1, 2012, requires controls to be in place at all times to prevent unauthorized individuals from accessing DO data and system components. Specifically, individuals must have their identification checked and submit to a reasonable inspection in accordance with Treasury Directive Publication 15-71, Treasury Security Manual, Chapter V, Section 1, updated June 17, 2011, before being granted access to the facility.

As previously mentioned, the matter was promptly addressed and adequately resolved. Accordingly, we are not making a recommendation at this time.

******

I would like to extend my appreciation to the CIO and to the DO Information Technology (IT) staff for the cooperation and courtesies extended to my staff during the audit. If you have any questions, please contact me at (202) 927-5171 or Farbod Fakhrai, IT Audit Manager, at (202) 927-5841. Major contributors to this report are listed in appendix 4.

/s/

Tram Jacquelyn Dang
Audit Director

Appendix 1
Objectives, Scope and Methodology

The overall objective of this audit was to determine whether sufficient protections existed to prevent intrusions into Treasury's Departmental Offices (DO) network and systems. This audit was included in the Office of Inspector General Annual Plan for 2012.

To accomplish our objective, we performed our fieldwork in Washington, DC, from December 2011 through May 2012. We performed a series of internal vulnerability assessments and attempted penetration tests on selected DO Local Area Network (LAN) desktops, servers, equipment, and infrastructure devices. We also tested the physical security of Treasury facilities, performed social engineering testing by email phishing, and conducted remote access security testing. In accordance with the agreed-upon Rules of Engagement with the Department, we excluded a number of systems on the DO LAN and test procedures that could have adversely affected operations and resulted in denial of service attacks.
Our tests were performed during off-peak hours to avoid unintended disruption to the network.

We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

Appendix 2
Management Response

Appendix 3
Major Contributors to This Report

Office of Information Technology (IT) Audits

Tram J. Dang, Audit Director
Farbod Fakhrai, IT Audit Manager
Larissa Klimpel, Auditor-in-Charge
Kevin Mfume, IT Specialist
Mitul Patel, IT Specialist
Don'te Kelley, IT Specialist
Christen Stevenson, Referencer

Appendix 4
Report Distribution

Department of the Treasury

    Office of the Chief Information Officer
    Office of Security Programs
    Office of Strategic Planning and Performance Management
    Office of the Deputy Chief Financial Officer, Risk and Control Group

Office of Management and Budget

    Office of Inspector General Budget Examiner